RootKit Detection Treasure Trove !

Discussion in 'other security issues & news' started by Spanner intheWorks, Mar 7, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not sure about ShadowUser, but with Deep Freeze, why bother with comparing dumped hives? Any hive that is changed will be restored upon reboot.
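    For readers who do want to run the hive comparison Rmus mentions, here is an added example (not code from any poster in this thread, and not RootkitRevealer's method): a small Python script that parses two regedit-style .reg exports, one taken through the live registry API and one produced from a hive copy read offline, and reports what the offline hive contains that the live view does not. That "cross-view" discrepancy is the symptom of a rootkit filtering registry enumeration. The exports, key names and the ExampleHiddenSvc/ExampleHiddenValue names are constructed for the example; the parser assumes the "Windows Registry Editor Version 5.00" export format.

```python
import re
from typing import Dict, List, Tuple

# Snapshot shape: {key_path_lowercase: {value_name_lowercase: raw_data}}
RegSnapshot = Dict[str, Dict[str, str]]

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"=data   or   @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text: str) -> RegSnapshot:
    """Parse a regedit 5.00 style export into a nested dict.

    Key paths and value names are lowercased because the registry
    compares them case-insensitively. Lines ending in a backslash
    (hex data continued on the next line) are joined first.
    """
    snapshot: RegSnapshot = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):          # continuation line, keep accumulating
            pending = line[:-1]
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            snapshot.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = value.group(1) if value.group(1) is not None else "@"
            snapshot[current][name.lower()] = value.group(2)
    return snapshot


def cross_view_diff(api_view: RegSnapshot, raw_view: RegSnapshot
                    ) -> Tuple[List[str], List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Report what the raw hive holds that the live API view does not.

    Keys or values present on disk but missing from the API view are the
    classic cross-view symptom of a rootkit hooking registry enumeration.
    Values whose data differs are reported separately: that can also be
    benign churn between the two snapshots, so it deserves a closer look
    rather than an alarm.
    """
    hidden_keys = sorted(set(raw_view) - set(api_view))
    hidden_values: List[Tuple[str, str]] = []
    changed_values: List[Tuple[str, str]] = []
    for key in sorted(set(raw_view) & set(api_view)):
        for name, data in raw_view[key].items():
            if name not in api_view[key]:
                hidden_values.append((key, name))
            elif api_view[key][name] != data:
                changed_values.append((key, name))
    return hidden_keys, hidden_values, changed_values


# Constructed sample: what the live registry API reports.
API_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,\
  00,00
"""

# Constructed sample: the same hive parsed offline from a disk copy.
# ExampleHiddenSvc / ExampleHiddenValue are placeholder names.
RAW_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,\
  00,00
"ExampleHiddenValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleHiddenSvc]
@="placeholder"
"Start"=dword:00000002
"""

if __name__ == "__main__":
    keys, values, changed = cross_view_diff(parse_reg_export(API_EXPORT),
                                            parse_reg_export(RAW_EXPORT))
    for k in keys:
        print("key missing from API view:", k)
    for k, v in values:
        print("value missing from API view:", k, "->", v)
    for k, v in changed:
        print("value data differs:", k, "->", v)
```

    On a real box the two inputs would be a live export from regedit and a second export produced from a hive file read outside the running system (a boot CD or a second OS), since anything the rootkit hooks is only hidden from the live view.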
     
  2. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    ***Hard drive protection solutions like DeepFreeze/ShadowUser/DriveVaccine or DriveShield ( http://www.centuriontech.com/dsplus-about.htm ) are very innovative and interesting against rootkits.
    Then choosing one of them is, as usual, a personal choice.

    ***I've recently read an interview with Holy Father, the author of Hacker Defender, and it was said: "You can write a (rootkit) detector, I can write a rootkit that bypasses this detector."

    That's exactly what happens and why RootkitRevealer was updated recently.
    Here is the interview: http://infoworld.com/article/05/03/16/HNholyfather_1.html

    ***Karl Levinson mentioned AVs.
    From a personal point of view, I will not trust AVs as a rootkit defense.
    Many of them don't recognize the code of the usual ones (like AFXRootkit2005, which is just a variant of the old one).
    If the rootkit has a falsified CRC, it will also be difficult for scan engines.
    Here's the answer of an F-Secure researcher: http://www.vnunet.com/news/1162028

    ***In all cases, a rootkit is a package: the "root" is only the "door/access" to the system and the "kit" is the hidden file attached (often a stealth backdoor).

    Therefore, if the root is difficult to detect without specialized tools, it will not be difficult to detect suspect remote connections.

    TcpView, Fport, ActivePorts may not be enough, especially because some stealth backdoors hide their connections (ICMP, ACK...).

    With an advanced protocol analyzer and sniffer (WinDump, Ethereal, etc.), we can audit the local host to find out whether the system is compromised.

    Andres Tarasco Acuna (from 3WDesign), who wrote RKDetector Professional, has a little utility scanner to detect the presence of Hacker Defender by its connection: RKDscan.

    For those who could be interested, there is a PDF paper from the CERT which shows how to audit a local host (but basically for the port scanning): Checking Microsoft Windows Systems for Signs of Compromise (direct download):

    http://www.ucl.ac.uk/cert/win_intrusion.pdf

    ***Karl Levinson has also mentioned some protection used by firms (http://www.securewave.com/sanctuary_DC.jsp).
    But unfortunately we can't protect a single PC as we can computers used in a corporate environment.
    This young Californian firm also has interesting solutions (home and corporate), especially The Primary Response: http://www.sanasecurity.com/

    But finally, if I have to choose 2 products against rootkits for a family's computer (used by all ages and levels), I'll choose ProcessGuard for prevention and UnHackme for detection.
    That's really enough for the usual rootkits.

    Regards
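    The audit kareldjag describes above (a sniffer on the wire versus what the host itself reports, plus a look at ICMP) can be scripted. Here is an added example, not code from any poster or from the tools named in this thread: a Python script that parses constructed tcpdump/WinDump-style text lines and a constructed "netstat -an" listing, then flags two things: TCP segments the host sends from a port it does not admit to (a hidden socket), and ICMP echo packets larger than a stock ping. The 64-byte ICMP threshold, the host address 192.0.2.10, port 5555 and all packet lines are assumptions made for the example.

```python
import re
from typing import List, Set, Tuple

# tcpdump 4.x style text lines, e.g.
#   12:00:01.000000 IP 203.0.113.50.51234 > 192.0.2.10.3389: Flags [P.], seq 1:101, ack 1, win 64240, length 100
TCP_RE = re.compile(
    r'^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): '
    r'Flags \[([^\]]*)\].*? length (\d+)$')
ICMP_RE = re.compile(
    r'^\S+ IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP (echo request|echo reply),'
    r'.*? length (\d+)$')
# Windows "netstat -an" TCP rows: Proto, local addr:port, foreign addr:port, state
NETSTAT_RE = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)\s*$')

# Assumed threshold: a stock ping carries 40 (Windows) or 64 (Unix) bytes of ICMP.
ICMP_MAX_NORMAL_LEN = 64


def reported_sockets(netstat_text: str) -> Set[int]:
    """Local TCP ports the host itself admits to (LISTENING or ESTABLISHED)."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(5) in ("LISTENING", "ESTABLISHED"):
            ports.add(int(m.group(2)))
    return ports


def audit_capture(capture_text: str, host_ip: str, host_ports: Set[int]) -> List[Tuple[str, str]]:
    """Cross-check wire traffic against the host's own socket list.

    Returns (finding_kind, detail) pairs:
      unreported_socket - the host answered from a TCP port netstat does not list
      oversized_icmp    - an echo packet carrying more data than a normal ping
    """
    findings: List[Tuple[str, str]] = []
    for line in capture_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TCP_RE.match(line)
        if m:
            src, sport, dst, dport, flags, length = m.groups()
            if src == host_ip and int(sport) not in host_ports:
                findings.append(("unreported_socket",
                                 f"{src}:{sport} -> {dst}:{dport} flags [{flags}] len {length}"))
            continue
        m = ICMP_RE.match(line)
        if m:
            src, dst, kind, length = m.groups()
            if int(length) > ICMP_MAX_NORMAL_LEN:
                findings.append(("oversized_icmp", f"{src} -> {dst} {kind} len {length}"))
    return findings


HOST_IP = "192.0.2.10"  # assumed address of the audited host

# Constructed "netstat -an" output as seen on the (possibly rootkitted) host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        203.0.113.50:51234     ESTABLISHED
"""

# Constructed capture taken from a second machine on the same segment.
CAPTURE_SAMPLE = """
12:00:01.000000 IP 203.0.113.50.51234 > 192.0.2.10.3389: Flags [P.], seq 1:101, ack 1, win 64240, length 100
12:00:01.050000 IP 192.0.2.10.3389 > 203.0.113.50.51234: Flags [.], ack 101, win 65535, length 0
12:00:02.000000 IP 203.0.113.7.40000 > 192.0.2.10.5555: Flags [.], ack 1, win 512, length 48
12:00:02.030000 IP 192.0.2.10.5555 > 203.0.113.7.40000: Flags [.], ack 1, win 512, length 48
12:00:03.000000 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:03.010000 IP 192.0.2.10 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 64
12:00:04.000000 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 1032
12:00:04.010000 IP 192.0.2.10 > 203.0.113.7: ICMP echo reply, id 7, seq 1, length 1032
"""

if __name__ == "__main__":
    for kind, detail in audit_capture(CAPTURE_SAMPLE, HOST_IP, reported_sockets(NETSTAT_SAMPLE)):
        print(f"{kind}: {detail}")
```

    The capture has to come from a different machine (or a span port), since a sniffer on the compromised host can be fed the same filtered view as netstat. Oversized ICMP is only a heuristic; the point is that it is something worth eyeballing, not proof of a backdoor.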
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi kareldjag,

    Just to update your post, Holy Father announced today that he can now bypass both RootkitRevealer and F-Secure BlackLight. On the other side of things, RootkitRevealer was updated to 1.32 today (with no change log available). The only noticeable change is that the temporary executable now runs from \Local Settings\Temp, not \system32.

    Nick
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Thanks for the official news Nick S.
    It's always the funny "catch me if you can" game between Attack and Defense. ;)

    Regards
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Great paper!

    Thanks,

    -Rmus
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm amazed at how many people are totally *unaware* of rootkits.

    Since once installed a rootkit cannot be removed -- at the present time, anyway -- it seems that the best prevention is to have as the last line of defense a lockdown program, such as ShadowUser, or Deep Freeze, and establish the practice of rebooting immediately after going off-line.
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    *Spanner, I think we are going around in circles on this subject, especially because there are too many repetitions and redundant information and links.
    I've already given the link to the eeye.digital paper more than a month ago:
    https://www.wilderssecurity.com/showpost.php?p=382135

    And here for Repscan (in a corporate environment):
    https://www.wilderssecurity.com/showpost.php?p=423156

    It's the same for the Primary Response from Sanasecurity which (as I've said above) is a solution only intended for enterprises/firms.

    Then it's perhaps unnecessary to repeat the same information, and it would be more honest to give your source (for Wilders' ones).
    But in all cases, I appreciate your enthusiasm for this subject and especially your clear and complete summaries for each link.
    Therefore take that as just a friendly remark. ;)

    *We can make a list of all IDS/NIDS/HIDS, AVs, ATs, desktop protections, honeypots, specialized anti-rootkit software, and finally we will not be able to find the ultimate solution.

    Rootkit methods follow the technology and are in permanent evolution.
    As it was said by Chopper ( https://www.wilderssecurity.com/showpost.php?p=423061 ) there is (or will be) a new generation of rootkits exploiting the motherboard and any exploit (like Buffer Overflow), and it will be really difficult to detect them.

    *Microsoft researchers are very busy at the moment, and after the GhostStrider project, they target worms with Control Flow Integrity and Vigilante:

    Here's a quick overview: http://www.eweek.com/article2/0,1759,1772663,00.asp

    Or one of the official pages: http://research.microsoft.com/research/pubs/view.aspx?tr_id=868

    But like GhostStrider, it's still a project.

    *ADS/Metafiles

    There are many useful free tools (ADSSpy, CrucialADS...) but one of the more interesting is ShowStream, by Jean-Claude Bellamy, a French Windows specialist: http://bellamyjc.net/fr/stream.html#showstream

    With ShowStream, we can find, analyse, copy and export metafiles.

    (........)

    Regards
     